Tech Proposal: allowlist of auditors for Aragon products

Proposal Information

Proposal summary:

We need the list of default auditors, to streamline the audit process in the scope of ongoing development needs.

Previous work on the proposal area:

The suggested list of auditors was doing audits for high-profile DeFi products like Aave, Gnosis Safe, Compound, etc.

Proposal description:

Authorize the following independent auditors for code and infrastructure review of Aragon products:

  • ConsensysDilligence
  • Coinspect
  • ZKLabs
  • OpenZeppelin
  • Chainsecurity
  • RuntimeVerification, Inc. (RV)
  • Trail of Bits
  • Certik
  • SigmaPrime
  • PeckShield
  • Mixbytes
  • Certora

Proposal Rationale:

Independent audit of smart contracts, code, and infrastructure, in general, is a good practice for all financial and other high-risk products. It’s required to increase their security which leads to more trust and adoption of Aragon products.

Limitations of any benefits mentioned above:

A successful security audit doesn’t eliminate the possibility of security vulnerabilities, it decreases the risks and helps to find security problems missed by the team. It doesn’t eliminate the need for code reviews, automatic tests, and other practices which improve the security and quality of code.

Expected duration or delivery date (if applicable):

Not applicable, the list will be used when required.

Team Information

Tech committee of Aragon Network DAO (more info about members).

  • Nivida
  • Wenzel
  • P4u

Skills and previous experience in related or similar work:

This kind of work is delegated to the tech committee of Aragon Network DAO by the Charter.

Funding Information

Not applicable, no upfront funding is required

Escrow where funds shall be transferred:

Not applicable, no upfront funding is required

More detailed description of how funds will be handled and used:

Not applicable, no upfront funding is required


Looks great @voronchuk

How much do you envisage being required for security audits over the next few months? Cc @nivida @p4u

This is important to budget for as the bill will be paid by the ESD, who are currently doing their budget for the next season. I’d like to suggest that the ESD earmark a few hundred thousand dollars as a reserve for security audits, not to be used for any other reason. Would also suggest unbundling the ESD funds proposal so that ANT holders can vote on specific parts of it, with the security audit reserves being one such part.

Tagging @lee0007 @fartunov @daniel-ospina

Really important that the Tech Committee can operate quickly with 3rd party security auditors with swift access to necessary funds.


How much do you envisage being required for security audits over the next few months? Cc @nivida @p4u

Moderate. We definitely need to have two audits for the Zaragoza core contracts and the recycled voting contracts. Any further audits required are not yet clear and depend on the requirements of the product team. But of course, in the mid to long-term, we also will need to audit version two of the Aragon Package Manager.
To have a fixed budget point for audits in the range of 200k USD would definitely make sense and speed up the process for the tech and executive committee of the ANDAO.

Has the ESD thought about establishing a specific process to act against corrupt audit assignments? I think it could be important that we are forced to ask X independent offers per audit request.


I guess one of the reasons for having a default list of auditors is to mitigate possible corruption, as all those are reputable providers; without such a list it’s easier to push less known auditors. One additional measure can be requesting a quote from several auditors (tender) from the list (at least 3) and making it binding to select the one with the cheapest quote which complies with the requirements. In either case, I’m not an expert in tender flows; maybe @eaglelex, @Tayy, @ronald_k or other community members can suggest the exact procedure if we need to include it in the proposal.


Full support for this proposal. However, any further proposal to fund 200k imo should not go via ESD and should be a Main DAO proposal. This is well beyond the proposed ESD scope: as I understand, we are established to bootstrap AN DAO operations and strategic growth opportunities. I believe decisions for major and mission-critical funding like these security audits should be undertaken via transparent, community consensus building and ultimately voted on by ANT holders.

@fartunov @daniel-ospina thoughts?

Technological risk management falls within the scope of the Tech Committee. Selection criteria established by the Tech Committee would ultimately determine the partnering supplier. I agree @voronchuk, open tender via Request For Proposals (RFP) is a proven effective approach for selecting partner suppliers; it is, however, by nature a confidential process. A Financial Proposal to the Main DAO by the Tech Committee should look to provide stakeholders transparency as to the process, selection criteria, final deliverables and expected costs.

As per the rules of charter, the ESD has the responsibility to “Pay suppliers of the Aragon network, providing such transactions are disclosed transparently on the Aragon Forum.”

So I do believe it falls firmly within the mandate of the ESD and moreover, that it would not be practical to have the main DAO cover such payments. This would create unnecessary time delays and uncertainty, potentially putting at risk the tech security of the project and codebase.

Strong support on my side. We have only to understand which is the best way to provide the funding.

I agree with @joeycharlesworth. The Charter indicates clearly that one of the responsibilities of the ESD is to “Pay suppliers of the Aragon network, providing such transactions are disclosed transparently on the Aragon Forum,” and auditors are in fact suppliers.

Nevertheless, what seems important to highlight is that the ESD cannot have any sort of liability for the choice of the auditors. It is a technical matter that clearly falls outside of the scope of areas in which the ESD may express some sort of discretional power.

In this regard we should carefully consider what @lee0007 wrote.

Concerning the topic of the proposal, the Charter states that the TechSD has the responsibility of “Maintaining a list of whitelisted technical security auditors they deem to be sufficiently competent to audit Aragon smart contracts.”

That said, I think that the scrutiny and the selection of the auditor is on the TechSD, or that the TechSD has to present a proposal to the community in order to get an approval.

What I would do is select and enter into contact with 3 suppliers and give the community the possibility of comparing the three different offers. In my opinion this preliminary work should be on the TechSD because, due to their skills, they are in the best position to select the auditors.


Dear all, I think we have to clearly distinguish between choosing the audit service providers and paying such service providers. As code auditing is a critical task, the choice of the permitted service providers should be with the MainDAO. This is also important to have sufficient legitimacy and avoid situations where ESD members may be conflicted because of a potential relationship with a specific service provider.


I second lee0007’s opinion here. Major deployment of funds is not what the ESD is designed to address.
One way to resolve the issue is to use an election process in the Main DAO (already defined in the charter) and have suppliers (from the approved list, as that’s the Tech Committee’s remit) make proposals and the community vote to approve one of them (or none, as the community should be allowed to keep the funds in the treasury should they decide so).

It’s a similar process that was used for dID.


I agree with Renee. Given the size of the budget and the high technical expertise required to both push forward the RFP and assess the bidders and the deliverables it would make sense for the Tech sub DAO to be funded by and accountable to the main DAO directly.


We have thought about it and discussed the need for RFP style funding as opposed to “first one to raise their hand”. We have not put anything on paper however. Considering the length of the list of approved vendors what’s a minimum number of bids you perceive as adequate?

Another requirement could be to share the RFP and invite everyone on the approved list to submit a bid (best practice from my days in energy infrastructure RFPs not sure how transferable).


To clarify here, I’m not proposing that the ESD take on the role of evaluating which auditors are suitable; this is clearly not the role of the ESD and would be outside of their mandate. Selecting the auditors, negotiating the amounts that should be paid to a specific auditor and verifying the auditor has completed their work to a satisfactory level falls within the remit of the Tech Committee.

Once the Tech Committee has identified which auditor should be used as well as the price for the audit, the actual payment of the audit (which may include a deposit, balancing payment or single payment) should be made by the ESD.

Please note, the Tech Committee as per the rules of the charter does not have authority to make supplier payments; this responsibility is instead listed as a responsibility of the ESD.


@voronchuk @nivida @p4u

Another factor to bear in mind when creating this whitelist is whether or not the auditors on this list will accept payment from a DAO. It used to be the case that some, like Consensys DD required a legal entity to sign the contract and pay the funds, perhaps due to their KYC/AML policies.

Can you please confirm whether or not you have taken this into consideration and if the auditors on this whitelist will accept payment from a DAO?

Thanks.

From my side, it wasn’t part of the research, as it requires an inquiry to each of those auditors and waiting for their response. By my guesstimate, such a procedure can take about 2 weeks. It’s more likely to get a positive response to such an inquiry when there is an exact piece of work to be discussed instead of a general “memorandum” about possible cooperation in the future.

@nivida @p4u what do you think?


Hi @nivida @p4u @voronchuk,

Hope you are having good weeks. We have got in contact with all the auditors on the Whitelist now to request their availability for the audit and DAO payment.

Will make introductions as and when their responses come through.

Kind regards,

Alex


Do we have a complete scope of what exactly needs to be audited? Would be helpful if we could add it to the forum to point security auditors to.